Controlling FTP Server Access

You can use the following configuration files in the /etc/ftpd directory to control
access to the FTP server.

ftpusers is used to list users who are denied access to the FTP server.

ftphosts is used to allow or deny login from various hosts to various accounts on the FTP server.

ftpaccess is the main FTP configuration file. The FTP server only reads the /etc/ftpd/ftpaccess file if called with the -a option. When the ftpaccess file is used, all users must be members of a class to be allowed access to the FTP server. You can specify many ftpaccess directives that apply only to a particular class.

How to Define FTP Server Classes

To log in to the FTP server, users must be members of
a class when the ftpaccess file is used. To add the class
directive to the ftpaccess file, you specify the class name, a typelist of the user
types (real, guest, or anonymous) that belong to the class, and the host from
which those users are permitted access.

The previous example defines the local class as any user of the type
real, guest, or anonymous who logs in from *.provider.com. The last line defines
remote as any user who logs in from anywhere other than *.provider.com.

How to Set User Login Limits

You can limit the number of simultaneous logins by users of a
certain class with directives that are set in the ftpaccess file. Each login limit
contains the name of a class, the maximum number of simultaneous logins, a
UUCP-style days-of-week list, and a message file to display if the limit is exceeded.

The first line of the preceding example shows a limit of 50
simultaneous logins that are allowed to users of class anon during weekly work hours.
The second line limits anon users to 100 simultaneous logins outside of working
hours. The last line shows a limit of 100 guest logins that
are allowed at any time. For information on how to specify day and
time parameters, see ftpaccess(4).

The example further indicates that the content of the file /etc/ftpd/ftpmsg.deny is
returned when a specified login limit is reached, assuming ftpmsg.deny exists. For
information on using the /usr/sbin/ftpcount command to view the number and login
limit for each class of user who is logged in at a particular
time, see ftpcount(1).
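The following added example (not part of this guide or of the FTP server's own code) models how the class and limit directives described above interact: a login is assigned to the first class whose typelist and host pattern match, and the first limit line that applies to that class at the current day and time decides whether the login is admitted. The ftpaccess fragment, the host names and the day-code handling are constructed for the example; consult ftpaccess(4) for the authoritative syntax.

```python
import fnmatch

# Constructed ftpaccess fragment (assumed content, not from the page) with the class
# and limit lines the surrounding text describes; first matching line wins for each.
FTPACCESS = """
class local  real,guest,anonymous  *.provider.com
class remote real,guest,anonymous  *
limit anon  50  Wk0800-1800 /etc/ftpd/ftpmsg.deny
limit anon  100 Any         /etc/ftpd/ftpmsg.deny
limit guest 100 Any         /etc/ftpd/ftpmsg.deny
"""
# UUCP-style day codes -> weekday numbers (0 = Monday)
DAYS = {"Any": range(7), "Wk": range(5), "Mo": [0], "Tu": [1], "We": [2],
        "Th": [3], "Fr": [4], "Sa": [5], "Su": [6]}

def parse(text):
    classes, limits = [], []          # (name, {types}, [addrglob]) / (name, n, times, msg)
    for line in text.splitlines():
        f = line.split()
        if f and f[0] == "class":
            classes.append((f[1], set(f[2].split(",")), f[3:]))
        elif f and f[0] == "limit":
            limits.append((f[1], int(f[2]), f[3], f[4]))
    return classes, limits

def class_of(classes, utype, host):
    for name, types, globs in classes:   # first class whose typelist and host glob match
        if utype in types and any(fnmatch.fnmatch(host, g) for g in globs):
            return name
    return None                          # member of no class: login refused

def in_times(spec, weekday, hhmm):
    """'|'-separated entries, each day codes (Any, Wk, Mo, Tu, ...) plus optional HHMM-HHMM."""
    for entry in spec.split("|"):
        days, rest = set(), entry
        while rest and any(rest.startswith(c) for c in DAYS):   # strip leading day codes
            code = next(c for c in DAYS if rest.startswith(c))
            days.update(DAYS[code]); rest = rest[len(code):]
        lo, hi = rest.split("-") if rest else ("0000", "2400")  # no range: whole day
        if weekday in days and lo <= hhmm < hi:
            return True
    return False

def check_limit(limits, cls, current, weekday, hhmm):
    """First limit applicable to cls at this time wins; returns (allowed, message file)."""
    for name, n, times, msg in limits:
        if name == cls and in_times(times, weekday, hhmm):
            return current < n, msg
    return True, None                    # no applicable limit means unlimited
```

With the fragment above, the fiftieth anonymous login on a weekday morning is refused and shown /etc/ftpd/ftpmsg.deny, while the same login in the evening or on a weekend is admitted up to the second line's limit of 100.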

Users are allowed login to the FTP server unless a specified limit
is reached. Anonymous users are logged in as the user ftp. Real users
are logged in as themselves, and guests are logged in as real users
with a chroot environment to limit access privileges.

For information on using the /usr/sbin/ftpwho command to check the identities of the
users logged into the FTP server, see ftpwho(1).

How to Control the Number of Invalid Login Attempts

If a login to the FTP server fails because of a problem
such as mistyping the required information, the login is usually retried. The user is allowed
a specific number of consecutive login attempts before a message is logged to
the syslog file. At that point, the user is disconnected. You can
set a failure limit on the number of login attempts by following the steps
in the next procedure.

loginfails

Keyword that is used to assign the number of login failures that are permitted before the FTP connection is terminated

n

Number of times a login can fail

Example 28-3 Controlling the Number of Invalid Login Attempts

loginfails 10

The preceding example states that the user is disconnected from the FTP server
after 10 failed login attempts.

How to Disallow FTP Server Access to Particular Users

The /etc/ftpd/ftpusers file lists names of users who are not allowed to log
in to the FTP server. When login is attempted, the FTP server checks
the /etc/ftpd/ftpusers file to determine whether the user should be denied access. If
the user's name is not found in that file, the server then searches
the /etc/ftpusers file.

If the user's name is matched in /etc/ftpusers, a syslogd message is written
with a statement that the match was found in a deprecated file. The
message also recommends the use of /etc/ftpd/ftpusers instead of /etc/ftpusers.

Note - Support for the /etc/ftpusers file has been deprecated in this release. If the
/etc/ftpusers file exists when the FTP server is installed, the file is moved
to /etc/ftpd/ftpusers.

Add entries to the /etc/ftpd/ftpusers file for users who are not allowed to
log in to the FTP server.

Example 28-4 How to Disallow FTP Server Access

root
daemon
bin
sys
adm
lp
uucp
nuucp
listen
nobody
noaccess
nobody4

The previous example lists the typical entries in the ftpusers file. User names
match entries in the /etc/passwd file. The list generally includes the root and other
administrative and system application identities.

The root entry is included in the ftpusers file as a security measure.
The default security policy is to disallow remote logins for root. The policy
is also followed for the default value that is set as the CONSOLE
entry in the /etc/default/login file. See login(1).

How to Restrict Access to the Default FTP Server

In addition to the controls mentioned previously, you can add explicit statements to
the ftpaccess file to restrict access to the FTP server.